
Setting up an "isolated" subnet

I work at a university in a laboratory where our network is really dependent upon the university's network being up. One particular laboratory that we have has instruments that connect to a "box" that translates the instruments' RS-232 signals to TCP/IP. That "box" has an ethernet cable that connects to a dataport which is behind a firewall. The firewall router is "managed" by our university IT at another location. We then have a Dell PowerEdge 2900 server in the lab that runs software to control the instruments through the "box".

We don't want these instruments to be dependent upon the university network being up...we had an experience where our firewall router's power was "accidentally" turned off and all our PCs in the lab began losing network access. What we would like to do is go directly from the "box" into the PowerEdge server without being dependent upon the university's firewall router.

Seems like I should be able to connect our "box" directly into a router in the lab but I'm not so sure I know how to accomplish this. Can someone offer advice or point me to documentation on how best to set this up?
2 Solutions
Have you got a switch behind the firewall where your server and box connect to? If you have, you could just put all the devices that you want isolated in a VLAN that only exists on that switch and has no route out to the rest of the network. That way, if your router goes down, as long as the switch is still up they can all communicate. This does assume that the box and the server are on the same subnet?
Depends on what is in the BOX?

It may simply be enough to disconnect it, after powering down, and connect it to your router/switch.

You need documentation on the Box.

I hope this helps!
jb61264 (Author) commented:
I currently do not have a switch or router but we will be willing to purchase one...any recommendations on what to buy?

The "box" is a custom built device that includes 8 Moxa devices (each connects to one instrument we are controlling)...these 8 devices connect into one "gateway" box that ends in a single ethernet cable that is currently connected to a university network dataport.

I'd basically like to come out of the "gateway" box with the ethernet cable and go into something (router?) that allows me to then directly go into the back of my PowerEdge 2900 server.

jonmckinlay, I think you have the idea of what I'm trying to do...essentially I want to be completely isolated from the university's network but still be able to use the TCP/IP required to communicate with my lab instruments via TCP/IP.
Fred Marshall commented:
Are you sure you want to be *completely* isolated from the U. network?  Then, presumably, you'd have no internet access or campus access or .....

I think you probably have two kinds of computers in the lab:
1) those that need to be reached/seen from outside
2) those that don't need to be seen from outside.

I don't know how many of each there are so here is a simple, small lab setup:

Get a simple commodity router that's used in homes and small offices.  

(For the sake of making an example, I'm going to assume that the University network is on a private IP address range  i.e. to with 65,536 available addresses.
So, we're going to choose a totally different private address range for the lab computers type #2.  Namely: with room for 254 computers or IP addresses.)

Assign IP address range to the LAN side of the router.    Assign to the LAN port on the router.

Assign an appropriate IP address to the WAN/Internet side of the router as a fixed IP address that matches what the University requires on the LAN side of your firewall - just like any of the type #1 computers.  In effect, the router will be one of those computers.

Plug all of the #2 type computers into the LAN side of the router and use the router's DHCP / "Get IP address automatically" on the clients or assign all of the type #2 computers static IP addresses in the 172.... range.  The router's LAN port address will be the "gateway" for all of these computers.

Plug all of the #1 type computers into the firewall as now.  In general, these computers won't be able to "see" any of the type #2 computers unless you add a route to each of them like this:

route add -p mask 192.168.xxx.yyy
where 192.168.xxx.yyy is the WAN IP address of the router.

This tells the #1 computers that they can reach the lab subnet computers by sending them to the router.

In turn, the lab computers' router will send packets destined for the type #1 computers to the router and, from the router, they will go directly to any of those computers.

In general, the lab computers will be able to reach the university network but not the reverse except for responses coming back to them.  More to that story in another chapter.....

Now, if you want the #1 computers to continue to be able to communicate with one another when the firewall is down, then do this:

Buy a simple switch with as many ports as there are computers/ router above / plus one.  Plug all the type #1 computers into the switch.  Plug the added router into the switch.  Plug the firewall into the switch with one cable.

Now all the type #1 computers can "see" each other even when the firewall is turned off.  

Maybe all you have are type #1 computers really - then you don't need the added router.  It came about when you said "isolate" ...... but maybe all you meant was "be independent".
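An added consistency check for the address plan described in the answer above (example code written for this page, not from the thread). The university range, the lab range, both router addresses and the count of eight instrument hosts are assumed values; the real ones depend on what university IT assigned and what the router's LAN side is set to.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class LabPlan:
    university_net: ipaddress.IPv4Network  # range on the LAN side of the university firewall
    lab_net: ipaddress.IPv4Network         # isolated range for the type #2 computers and instruments
    router_lan_ip: ipaddress.IPv4Address   # router LAN port, the gateway for every lab host
    router_wan_ip: ipaddress.IPv4Address   # router WAN port, a fixed address in the university range

def validate_plan(plan: LabPlan) -> list:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    if not plan.lab_net.is_private:
        problems.append(f"lab range {plan.lab_net} is not a private range")
    if plan.lab_net.overlaps(plan.university_net):
        problems.append(f"lab range {plan.lab_net} overlaps the university range {plan.university_net}")
    if plan.router_lan_ip not in plan.lab_net:
        problems.append(f"router LAN address {plan.router_lan_ip} is outside {plan.lab_net}")
    if plan.router_wan_ip not in plan.university_net:
        problems.append(f"router WAN address {plan.router_wan_ip} is outside {plan.university_net}")
    return problems

def windows_route_command(plan: LabPlan) -> str:
    """Persistent route a type #1 computer needs so traffic for the lab subnet goes to the router's WAN IP."""
    return (f"route add -p {plan.lab_net.network_address} mask {plan.lab_net.netmask} "
            f"{plan.router_wan_ip}")

def lab_host_addresses(plan: LabPlan, count: int) -> list:
    """Static addresses for the first `count` lab hosts, leaving out the router's own LAN address."""
    hosts = [h for h in plan.lab_net.hosts() if h != plan.router_lan_ip]
    if count > len(hosts):
        raise ValueError(f"{plan.lab_net} only has room for {len(hosts)} hosts besides the router")
    return hosts[:count]

# Constructed values for illustration: a /16 university range, a /24 lab range,
# eight Moxa serial-to-TCP hosts plus the PowerEdge server on the lab side.
LAB_PLAN = LabPlan(ipaddress.IPv4Network("192.168.0.0/16"), ipaddress.IPv4Network("172.16.50.0/24"),
                   ipaddress.IPv4Address("172.16.50.1"), ipaddress.IPv4Address("192.168.10.200"))
# Same plan with the mistake the answer warns against: the lab range inside the university range.
OVERLAPPING_PLAN = LabPlan(LAB_PLAN.university_net, ipaddress.IPv4Network("192.168.50.0/24"),
                           ipaddress.IPv4Address("192.168.50.1"), LAB_PLAN.router_wan_ip)

if __name__ == "__main__":
    for name, plan in (("lab plan", LAB_PLAN), ("overlapping plan", OVERLAPPING_PLAN)):
        print(name, "->", validate_plan(plan) or "OK")
    print(windows_route_command(LAB_PLAN))
    print([str(h) for h in lab_host_addresses(LAB_PLAN, 9)])
```

The overlap check is the one that matters most: if the lab range sits inside the university range, the type #1 computers' existing routes already claim those addresses and the added route never wins cleanly.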

